General observations re. credit cards used on Epik. Yeah, if you used it at Epik (and/or have it stored) - cancel it. Also ask your bank to add it to the "stop list" as an extra security measure (delayed or offline authorizations or charges may still be possible).
Other registrars _may_ accept something like a correct answer to the "what are the last 4 digits of your CC" question as a way to verify who the customer is in case of, let's say, incoming phone calls - so, remove this CC from other registrars.
Switching to one time virtual cards is a good idea. If it is unavailable at your bank (or your country) - then you may switch to debit cards (would be harder to spend a lot of your $$$ in case of potential future hacks - no credit line), or to prepaid gift cards. If virtual cards are unavailable - most banks would be happy to issue extra cards (linked to the same account), so, at least: one card for "registrar A" exclusively, another card for "drop catcher B" exclusively, etc, etc, etc. Should either be hacked - you'll have to cancel just the 1 card used with this service only. Do not maintain a large balance, just what is necessary for daily needs.
At this time, however, I'd avoid using any type of debit or credit cards with Epik (except, possibly, 1 time virtual cards).
Not only different passwords - but also different usernames, and different emails - at least for critical services you use daily. Checking a lot of webmail inboxes may not be convenient though - so, consider a POP3/IMAP client (but, it will decrease the security as there is no 2FA in IMAP and POP3). Stop using Windows (any version). Mac - maybe, but as a temporary solution only. Linux workstation appears to be the best at this time. Do not try Ubuntu though (they are becoming less and less trusted/secure). The last Debian should be OK.
Sorry, too off-topic already. Maybe @Paul can start a separate sticky thread with all the relevant recommendations (and his final findings!) in light of the Epik breach... and move the related posts from this thread to it.